Barry MSIH

Reputation: 3787

For a given Azure AD Service Principal, Get a list of the Azure Objects and Rights

We are trying to figure out all the rights an Azure Active Directory Service Principal (AADSP) has to objects in our Azure tenant.

For example, an AADSP might have:

We are hoping that this information is stored in a collection within the Service Principal object. But we have not been able to locate the collection using Azure Graph.

https://graph.microsoft.com/v1.0/servicePrincipals

Is our only option to loop through all Azure objects and check each object's permissions and see which Service Principals have been granted rights?

Upvotes: 0

Views: 737

Answers (1)

AlfredoRevilla-MSFT

Reputation: 3495

There's no single API to query all sets of permissions given to a SP: application permissions AKA app roles, Azure AD directory permissions, and Azure RBAC.

You can obtain application permissions using the MS Graph List appRoleAssignments operation, Azure AD role assignments through List unifiedRoleAssignments, and Azure RBAC permissions using the Azure REST API Permissions - List For Resource operation.

Depending on the set of permissions, you may have to list all resources to find what assignments are available for a given SP.

Upvotes: 1
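As an added illustration of the three-source approach the answer describes (example code, not from the answerer or Microsoft): the script builds the request URL for each source and merges the three JSON responses into one per-principal table. It assumes the caller already holds bearer tokens for Graph and ARM, and for the Azure RBAC part it uses the ARM Role Assignments list with a `principalId` filter rather than the Permissions call the answer names, because that list returns assignments at and below the queried scope in one call; all sample responses and ids below are constructed placeholders.

```python
GRAPH = "https://graph.microsoft.com/v1.0"
ARM = "https://management.azure.com"

def permission_urls(sp_object_id, subscription_id):
    """Request URLs for the three permission sources of one service principal.
    The principalId filter avoids walking every resource in the tenant."""
    f = f"$filter=principalId eq '{sp_object_id}'"
    return {
        "app_roles": f"{GRAPH}/servicePrincipals/{sp_object_id}/appRoleAssignments",
        "directory_roles": f"{GRAPH}/roleManagement/directory/roleAssignments?{f}",
        "azure_rbac": (f"{ARM}/subscriptions/{subscription_id}/providers/"
                       f"Microsoft.Authorization/roleAssignments?api-version=2022-04-01&{f}"),
    }

def consolidate(sp_object_id, app_roles, directory_roles, azure_rbac):
    """Flatten the three JSON bodies into (source, role, scope) rows for this principal.
    Rows for any other principal are dropped, so an unfiltered response is safe to pass."""
    rows = []
    for a in app_roles.get("value", []):        # Graph appRoleAssignment objects
        if a.get("principalId") == sp_object_id:
            rows.append(("appRole", a["appRoleId"], a.get("resourceDisplayName") or a["resourceId"]))
    for r in directory_roles.get("value", []):  # Graph unifiedRoleAssignment objects
        if r.get("principalId") == sp_object_id:
            rows.append(("directoryRole", r["roleDefinitionId"], r.get("directoryScopeId", "/")))
    for r in azure_rbac.get("value", []):       # ARM roleAssignment objects
        p = r["properties"]
        if p.get("principalId") == sp_object_id:
            # ARM returns the full roleDefinition resource id; keep only the GUID part
            rows.append(("azureRbac", p["roleDefinitionId"].rsplit("/", 1)[-1], p["scope"]))
    return rows

# Constructed sample responses (placeholder ids, not real tenant data).
SP_ID = "11111111-1111-1111-1111-111111111111"
OTHER = "22222222-2222-2222-2222-222222222222"
SAMPLE_APP_ROLES = {"value": [
    {"principalId": SP_ID, "appRoleId": "approle-id-placeholder",
     "resourceId": "graph-sp-id-placeholder", "resourceDisplayName": "Microsoft Graph"}]}
SAMPLE_DIR_ROLES = {"value": [
    {"principalId": SP_ID, "roleDefinitionId": "dirrole-placeholder-1", "directoryScopeId": "/"},
    {"principalId": OTHER, "roleDefinitionId": "dirrole-placeholder-2", "directoryScopeId": "/"}]}
SAMPLE_RBAC = {"value": [
    {"properties": {"principalId": SP_ID,
                    "scope": "/subscriptions/sub-placeholder/resourceGroups/rg1",
                    "roleDefinitionId": "/subscriptions/sub-placeholder/providers/"
                                        "Microsoft.Authorization/roleDefinitions/contributor-placeholder"}}]}

def report(sp_object_id=SP_ID):
    """Run the merge over the constructed samples; swap in real GET responses in practice."""
    return consolidate(sp_object_id, SAMPLE_APP_ROLES, SAMPLE_DIR_ROLES, SAMPLE_RBAC)
```

The app role and directory role ids still need a lookup against the resource's `appRoles` and the directory `roleDefinitions` to get human-readable names; the merged rows give you the single list the question asked for.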
